Learning lessons from the June cyber-attack which impacted multiple NHS Trusts.
Earlier this summer, the NHS experienced a crisis that has been marked as a significant moment in its history.
On June 3rd, leading pathology testing organisation Synnovis fell victim to a devastating cyber-attack that resulted in major impacts affecting seven hospitals managed by two NHS trusts.
The attackers gained access to 300 million patient records, including sensitive blood test results for HIV and cancer. Leveraging this to issue a £40 million ransom demand, the attack disrupted 3,000 outpatient appointments at King’s College and Guy’s and St Thomas’ hospital trusts in the two weeks following.
However, it should come as no major surprise: attacks on the healthcare sector have been ramping up in recent years, with the World Economic Forum highlighting that the healthcare sector now accounts for 14.2 percent of attacks on critical infrastructure.
Prime Targets
It’s no coincidence that cybercriminals are zeroing in on healthcare providers. Indeed, the industry has several unique characteristics and vulnerabilities that make it attractive to nefarious actors.
#1 – Treasure troves of sensitive data
Healthcare providers are custodians of vast troves of highly confidential information – data that can be used as a powerful weapon. Critically, the sheer volume and nature of it can be leveraged to coerce healthcare organisations into paying ransoms or to exploit patients directly.
#2 – Life-or-death stakes that drive ransom payments
Cybercriminals are acutely aware of the high-stakes nature of attacks on healthcare systems. Ransomware incidents disrupted patient care in 44% of attacks on healthcare organisations and led to a 20% decrease in patient volume. This threat adds immense pressure to healthcare providers, making them more likely to pay ransoms.
#3 – Outdated IT and constrained budgets
Unlike private enterprises with deep pockets, the NHS relies on public funding that doesn’t always stretch far enough. Although NHS England has invested £338 million in cybersecurity over the past seven years, a recent British Medical Association report highlighted that NHS doctors lose 13.5 million hours annually due to inefficiencies – equivalent to the time of 8,000 full-time doctors. Outdated IT systems not only hamper productivity but can equally increase vulnerabilities.
#4 – Decentralised, dynamic workforces
The healthcare sector’s digital footprint is vast and intricate. Patients, doctors, nurses and consultants all require access to sensitive data, with many health professionals working across various trusts, fulfilling multiple roles. In 2020, the NHS itself revealed the extent of the challenge, stating that NHSmail required 64,000 user account changes every month across over 13,000 health and care organisations in England and Scotland.
#5 – Balancing security with service accessibility
Finally, healthcare providers are also faced with the challenge of balancing robust security measures and system accessibility. While they must implement stringent controls, these must not compromise their primary mission: patient care. Mandating multi-factor authentication in accessing a patient portal, for example, could impede the ability of those patients unfamiliar with technology, such as older citizens, to access essential services.
Key Strategies to Strengthen Healthcare Defences
In the wake of the attack, former NCSC head Ciaran Martin has issued a stark warning: unless the NHS upgrades its computer systems, it remains highly vulnerable to further cyber threats.
This isn’t just a cautionary note – it’s a wake-up call for all healthcare providers. Strengthening security controls is crucial to fend off the rising tide of cyberattacks, protect sensitive patient data and preserve the integrity of healthcare services. But where exactly should the NHS and other healthcare providers direct their efforts?
#1 – Get the basics right
First, it's crucial to implement fundamental cybersecurity measures including robust endpoint defences, regular software updates and routine backups. Consistency across the organisation is more important than chasing the latest “widget” that claims to solve all problems. Here, adhering to established frameworks such as GDPR, NIST and NIS2 can provide clear guidance on the critical aspects to address.
#2 – Develop refined processes and playbooks that focus on cyber resilience
Next, organisations should develop well-defined processes and playbooks. There is no tool that will prevent 100% of compromises. Comprehensive incident response plans and standard operating procedures are vital in ensuring that responses to breaches are prompt, precise and effective. In a healthcare setting, designing protocols to protect patient safety is critical, ensuring that services such as ambulatory and critical care are separated and resilient in the event of a successful cyber-attack.
#3 – Embrace continuous security assessments
It’s also important to perform frequent vulnerability scans and penetration tests to uncover potential security gaps. While many organisations ramp up spending on penetration testing towards the end of the financial year to meet compliance requirements, cybercriminals operate around the clock. Running pen tests as one-off exercises simply isn’t adequate. Instead, healthcare providers must regularly review the effectiveness of their security strategies.
#4 – Invest in education and training
Finally, organisations should invest in ongoing cybersecurity education and training. Given that around 90% of cyberattacks start with phishing, it’s crucial that healthcare staff are equipped with the knowledge and tools to recognise and counter potential threats. In doing so, they will become a formidable first line of defence.
Of course, it’s unrealistic to turn every NHS trust into an impenetrable fortress, as attackers continuously evolve their tactics. Instead, healthcare providers should focus on both preventing breaches and minimising their impacts.
By focusing on these key areas, health enterprises can work to better ensure that patient care remains uninterrupted and secure, even in the face of persistent cyber threats.
Written by
Mike Puglia
general manager, security products
Kaseya